fix: allow nlb to be in public subnets

Author: gtoonstra

main.tf

@@ -62,6 +62,7 @@ module "load_balancer" {
   vpc_id                 = local.vpc_id
   vpc_cidr               = local.vpc_cidr
   vpc_subnets            = var.lb_internal ? local.vpc_private_subnets : local.vpc_public_subnets
+  lb_nlb_subnets         = var.lb_nlb_internal ? local.vpc_private_subnets : local.vpc_public_subnets
   security_group_id      = local.lb_security_group_id
   create_ssl_cert        = var.create_ssl_cert
   alb_certificate_domain = var.alb_certificate_domain

modules/load_balancer/main.tf

@@ -150,7 +150,7 @@ resource "aws_lb" "vpces_nlb" {
   name               = "${var.deployment_name}-nlb"
   internal           = true
   load_balancer_type = "network"
-  subnets            = var.vpc_subnets
+  subnets            = var.lb_nlb_subnets
   security_groups    = [var.vpces_security_group_id]
 
   enable_cross_zone_load_balancing = true

modules/load_balancer/variables.tf

@@ -89,6 +89,11 @@ variable "lb_deploy_nlb" {
   description = "Flag if the network load balancer should be deployed (usually for incoming private link)."
 }
 
+variable "lb_nlb_subnets" {
+  type        = list(any)
+  description = "List of subnets to deploy the load balancer in"
+}
+
 variable "vpces_security_group_id" {
   type        = string
   default     = ""

variables.tf

@@ -375,6 +375,12 @@ variable "lb_deploy_nlb" {
   description = "Flag if the network load balancer should be deployed (usually for incoming private link)."
 }
 
+variable "lb_nlb_internal" {
+  type        = bool
+  default     = true
+  description = "Set to true to make the load balancer internal and not exposed to the internet."
+}
+
 variable "lb_vpces_details" {
   default = null
   type = object({